Workflow

Captain IV executes a five-phase automated investigation protocol from data input to AI-ready intelligence package, designed to reduce analyst cognitive load and standardize fraud detection across global marketplaces.

PHASE 01
Data Input
User submits investigation parameters through the web interface, providing subject identity, transaction vectors, and intelligence hints.
Input Fields:
Subject Identity — Name, Email, Phone, Full Address
Link Analysis — Related Person/Relative, Corporate/Organization Name
Transaction Vectors — Region, Marketplace, Country Codes (BA/SA/CC/IC), Specific IP Address
Intelligence Hints — Keywords, additional context, investigator notes

Action: User clicks "Initialize Internet Verification" → System processes data through backend verification engine

PHASE 02
Risk Vector Analysis
Analyzes geographic consistency across transaction vectors and flags high-risk country combinations per SOP guidelines.
Vectors Analyzed:
Marketplace — Origin of the transaction
Billing Address (BA) — Payment method country
Shipping Address (SA) — Delivery destination
Card Country (CC) — Issuing bank location
IP Country (IC) — Network origin

Risk Detection:
• Flags mismatches between IP location and Shipping Address (Disguised Address MO)
• Cross-references against High-Risk Country list (NG, GH, ID, RO, ZA, VN, BY, BD, CI, DZ, MA, TN, RU, UA)
• Applies regional exceptions (e.g., DOM-TOM for France, Maghreb for FR marketplace)
• Detects VPN/Proxy usage via ISP analysis (Amazon AWS, Google Cloud, M247, etc.)

Output: Risk factors list with severity tags (CRITICAL, HIGH, SAFE, INFO)
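
A sketch of the Phase 02 checks, added here as an illustration and not taken from Captain IV's code. The country list and ISP names are the ones on the page; the DOM-TOM code set, the severity attached to each finding, and passing the marketplace as a country code are assumptions.

```python
# Country lists come from the page; DOM_TOM codes, the severity chosen for each
# finding and marketplace-as-country-code are assumptions of this example.
HIGH_RISK = {"NG", "GH", "ID", "RO", "ZA", "VN", "BY", "BD", "CI",
             "DZ", "MA", "TN", "RU", "UA"}
MAGHREB = {"DZ", "MA", "TN"}          # excepted for the FR marketplace
DOM_TOM = {"GP", "MQ", "GF", "RE", "YT", "PM", "BL", "MF", "WF", "PF", "NC"}
HOSTING_ISPS = ("amazon aws", "google cloud", "m247")  # names listed on the page


def normalize(code):
    """Upper-case a country code and fold French overseas codes into FR."""
    code = (code or "").strip().upper()
    return "FR" if code in DOM_TOM else code


def analyze_vectors(marketplace, ba, sa, cc, ic, isp=""):
    """Return (severity, text) risk factors for one set of transaction vectors."""
    mp, ba, sa, cc, ic = (normalize(c) for c in (marketplace, ba, sa, cc, ic))
    findings = []
    if ic and sa and ic != sa:
        findings.append(("HIGH", f"IP country {ic} differs from shipping "
                                 f"country {sa} (Disguised Address MO)"))
    excepted = MAGHREB if mp == "FR" else set()
    for name, code in (("BA", ba), ("SA", sa), ("CC", cc), ("IC", ic)):
        if code in HIGH_RISK and code not in excepted:
            findings.append(("CRITICAL", f"{name} is in high-risk country {code}"))
    if any(p in (isp or "").lower() for p in HOSTING_ISPS):
        findings.append(("HIGH", f"IP belongs to hosting/VPN provider: {isp}"))
    if not findings and mp and len({mp, ba, sa, cc, ic}) == 1:
        findings.append(("SAFE", "All vectors are in the same country"))
    return findings
```

The same Moroccan IP yields only the mismatch finding on the FR marketplace but an additional high-risk finding on any other marketplace, which is the effect of the regional exception.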

PHASE 03
Email Domain Analysis
Classifies email domains to identify disposable, privacy-focused, risky, or corporate addresses.
Domain Categories:
Disposable Email (CRITICAL) — yopmail.com, temp-mail.org, guerrillamail.com, 10minutemail.com, mailinator.com, etc.
Privacy Email (HIGH) — protonmail.com, tutanota.com, cock.li, secmail.pro
Risky Email (HIGH) — gmx.com, gmx.net, mail.com, email.com (fraud history)
Free Email (INFO) — gmail.com, yahoo.com, hotmail.com, outlook.com, icloud.com, aol.com
Corporate/Private Domain (INFO) — Any domain not in above lists (requires verification)

Output: Email domain classification added to risk factors

PHASE 04
MO Detection & Classification
Applies intelligent pattern recognition to identify legitimate Modus Operandi (MO) that may trigger false positives in standard fraud checks, and detects fraud patterns.
Legitimate MO Categories:
Test/Internal Accounts (SAFE) — Ireland IP (Amazon HQ/Servers), "TEST ORDER" keywords, amazon.aws domains
Military MO (SAFE) — APO/FPO/DPO/BFPO addresses, .mil/.gov domains, rank keywords (SGT, CAPT, MAJOR, etc.)
Educational MO (SAFE) — .edu/.ac/.sch.uk domains, campus/university/college/dorm keywords
Corporate MO (INFO) — Verifies employment via LinkedIn + Company name cross-reference
Correctional MO (INFO) — Inmate/prison/jail/penitentiary/DOC keywords
Reseller MO (INFO) — Freight forwarder keywords (Aerocasillas, Shipito, Jetbox, etc.)

Fraud MO Categories:
Munged Address MO (HIGH) — Unnecessary prefixes (HOME:, TO:, SHIP:), repeated characters (##, --)
Tech Scam MO (CRITICAL) — Remote access keywords (TeamViewer, AnyDesk, LogMeIn, Microsoft Support)
Family Fraud (INFO) — Surname match between account holder and related person
Identity Theft (HIGH) — Complex alphanumeric email handle mismatch with name

Output: MO findings with severity levels added to risk factors
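
The Phase 03 domain classification and the keyword-driven part of Phase 04, combined in one added example (illustrative, not Captain IV's own code). Domains, keywords and severities are the ones listed on the page; the regular expressions, the reading of ".ac" as a second-level academic label, and the function names are assumptions.

```python
import re

# Domains and keywords are the ones named on the page; its lists end in "etc.".
DOMAIN_CLASSES = [  # checked in order, so a domain gets exactly one category
    ("CRITICAL", "Disposable Email", {"yopmail.com", "temp-mail.org",
        "guerrillamail.com", "10minutemail.com", "mailinator.com"}),
    ("HIGH", "Privacy Email", {"protonmail.com", "tutanota.com", "cock.li", "secmail.pro"}),
    ("HIGH", "Risky Email", {"gmx.com", "gmx.net", "mail.com", "email.com"}),
    ("INFO", "Free Email", {"gmail.com", "yahoo.com", "hotmail.com",
        "outlook.com", "icloud.com", "aol.com"}),
]
DOMAIN_RULES = [  # suffix checks on the e-mail domain
    ("SAFE", "Military MO", re.compile(r"\.(mil|gov)$")),
    # ".ac" is read here as the academic second-level label (.ac.uk, .ac.jp): an assumption
    ("SAFE", "Educational MO", re.compile(r"\.(edu|sch\.uk)$|\.ac\.[a-z]{2}$")),
]
ADDRESS_RULES = [  # applied to the address only
    ("HIGH", "Munged Address MO", re.compile(r"^\s*(HOME|TO|SHIP):|##|--", re.I)),
    ("SAFE", "Military MO", re.compile(r"\b(APO|FPO|DPO|BFPO)\b")),
]
KEYWORD_RULES = [  # applied to address and investigator notes
    ("CRITICAL", "Tech Scam MO", re.compile(r"teamviewer|anydesk|logmein|microsoft support", re.I)),
    ("INFO", "Correctional MO", re.compile(r"(?i:\b(inmate|prison|jail|penitentiary)\b)|\bDOC\b")),
]


def email_domain(email):
    """Return the lower-cased domain after the last '@', or '' if malformed."""
    local, sep, domain = (email or "").strip().rpartition("@")
    return domain.lower().rstrip(".") if sep and local and domain else ""


def classify(email, address="", notes=""):
    """Return de-duplicated (severity, label) findings for one subject."""
    domain, findings = email_domain(email), []
    for severity, label, domains in DOMAIN_CLASSES:
        if domain in domains:
            findings.append((severity, label))
            break
    else:
        if domain:
            findings.append(("INFO", "Corporate/Private Domain"))
    checks = [(DOMAIN_RULES, domain), (ADDRESS_RULES, address),
              (KEYWORD_RULES, f"{address}\n{notes}")]
    for rules, text in checks:
        findings += [(sev, label) for sev, label, rx in rules if rx.search(text)]
    return list(dict.fromkeys(findings))
```

A SAFE finding such as Military MO sits alongside any HIGH or CRITICAL finding in the returned list rather than cancelling it, so the analyst still sees both.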

PHASE 05
OSINT Query Generation
Generates targeted investigation queries across multiple categories using global OSINT tools and country-specific databases.
Query Categories:
IDENTITY — Google name search, name + location, social media scan (LinkedIn/Facebook/Instagram), Google Maps address verification, link analysis (name + related person)
CORPORATE — LinkedIn employment verification, general corporate check (name + company)
LOCAL — Marketplace-specific tools (40+ countries): FastPeopleSearch (US), Canada411 (CA), Companies House (UK), PagesJaunes (FR), Das Telefonbuch (DE), Hitta.se (SE), ABN Lookup (AU), Escavador (BR), etc.
TECHNICAL — Email reputation check (email + scam OR fraud), IP reputation (AbuseIPDB)
EMAIL INTELLIGENCE — Hunter.io verification, HaveIBeenPwned breach check

Top Queries: Marked with priority flag for immediate investigation (Social Media Scan, Corporate LinkedIn Check, Local Tools, IP Reputation)

Output: Categorized OSINT queries list with URLs ready for one-click access

OUTPUT
Results Display & AI Integration
All collected data is displayed in the web interface and structured into a JSON payload ready for Generative AI analysis via Quick Suite (BI + Knowledge Base) and PartyRock Agent.
Web Interface Components:
Vector Summary — Visual display of Marketplace, BA, SA, CC, IC consistency
Network Intelligence — Interactive map with IP geolocation, ISP detection, VPN/Proxy identification
OSINT Generation — Categorized query buttons (Identity & Social, Corporate, Local, Technical, Email Intelligence) with "OPEN TOP QUERIES" action
Analysis Findings — Risk factors and MO detections with severity tags (CRITICAL/HIGH/SAFE/INFO)
AI Cognitive Module — Two integration buttons:
  → Quick Suite Analysis (BI + Knowledge Base) — Opens Quick Suite with JSON payload copied to clipboard
  → PartyRock Agent — Opens PartyRock Agent with JSON payload copied to clipboard

AI Context Hook (JSON Payload):
context: "Fraud Investigation"
subject: {name, email, phone, address}
relations: {linked_person, corporate_entity}
vectors: {bill, ship, card, ip}
findings: [array of risk factor texts]
hints_provided: investigator notes

Deliverables:
• Case ID and timestamp for audit trail (no PII stored)
• One-click access to all OSINT queries
• AI-ready JSON payload for Quick Suite/PartyRock integration
• Network intelligence with geolocation and ISP analysis
• Comprehensive risk assessment with severity classification